Ubisoft Browser Plugin Patched to Fix Security Vulnerability

It seems the last version of Ubisoft’s browser plugin, which came as part of their UPlay client, had a serious vulnerability that could allow some malicious websites to take control of computers.

Programmer Tavis Ormandy, who alerted the world using SecLists.Org’s “full disclosure” mailing list, identified the issue. The back door has potentially been left open to anyone with Assassin’s Creed 2 through to Revelations, HAWX 2, Splinter Cell: Conviction and Ghost Recon: Future Soldier, amongst others (see full list below).

"While on vacation recently I bought a video game called 'Assassin's Creed Revelations'. I didn't have much of a chance to play it, but it seems fun so far. However, I noticed the installation procedure creates a browser plugin for its accompanying UPlay launcher, which grants unexpectedly (at least to me) wide access to websites," Ormandy explained.

"I don't know if it's by design, but I thought I'd mention it here in case someone else wants to look into it (I'm not really interested in video game security, I air-gap the machine I use to play games)."

To demonstrate that he wasn’t simply trolling Ubisoft, Ormandy created a proof of concept. The demonstration website launches Calculator on PCs with UPlay installed when users visit it.

Ubisoft has been pretty quick to release an update to UPlay that only lets the browser plugin launch the UPlay application.

There’s a pretty large amount of damaging stuff a hacker could do to your computer while in control of it, so if you’ve got UPlay on your system, we recommend opening it up and letting it update as soon as possible.